
TRIST: Circumventing Censorship with Transcoding-Resistant Image Steganography

Christopher Connolly, Patrick Lincoln, Ian Mason, Vinod Yegneswaran


connolly@ai.sri.com, {lincoln, iam, vinod}@csl.sri.com
SRI International

Abstract

We explore the viability of extending state-of-the-art image steganography techniques for bypassing censorship. Our quest for a scalable steganographic technique, which is robust against automated transcoders that reformat images in-flight, led to the implementation of a prototype system called TRIST¹ that embeds data by selectively modifying bits in the frequency domain of the image. By choosing heavily quantized frequency components at low JPEG quality values, we can robustly embed information within images, and demonstrate how this information survives a number of transformations, including transcoding to higher JPEG quality levels and other perturbations, such as image resizing (within bounds). We evaluate our system by building a prototype of a transcoding-resistant steganography library that we integrate with StegoTorus [36]. Our evaluations demonstrate that StegoTorus integrated with TRIST provides reasonable bandwidth capable of supporting basic web surfing along with transcoding resilience. Finally, we describe how our system can be adapted to counter state-of-the-art statistical attacks such as blockiness detectors.

¹ Derives from trist/tryst, meaning a secret meeting or rendezvous.

1 Introduction

Censorship attempts by various countries to block anonymity systems, such as Tor, have precipitated the development of diverse proxy systems that aim to evade censorship by imitating popular protocols such as HTTP [7, 36] and Skype [27]. There are multiple systems that have attempted to use image steganographic techniques to bypass censorship. These include proxy systems such as Infranet [8] and offline systems such as Collage [3] and MIAB [20] that rely on social-media sharing sites like Flickr [12] and web blogs to distribute steganographic content. However, these steganographic schemes aren't resilient to basic image transformations routinely performed by many of these sites to optimize storage and bandwidth. Furthermore, a simple and effective means to disrupt the use of such systems involves the deployment of commodity off-the-shelf (COTS) transcoding proxies [6, 16, 33] that seek to improve performance by dynamically re-encoding images at lower quality levels and rescaling.

To address these limitations, we propose a new steganographic approach that operates on the frequency domain of images. By choosing heavily quantized frequency components at low JPEG quality values, we can robustly embed information within images, and this information survives a number of transformations, including transcoding to higher quality. Not surprisingly, when starting at a low base quality level, the message survives transcoding to a higher quality and back to the base quality. Heavily quantized frequency components tend to be stabilized because they can only take on a limited number of values. More interestingly, the embedded message survives image rescaling, as long as the extraction occurs after an inversion of the scaling operation. Depending on the cover image and the frequency components used, the message can survive an image reduction of up to 75%, or an image expansion of up to 150%.

Motivated by these results, we design and implement a prototype general purpose library to facilitate the development of transcoding-resistant steganographic systems. We evaluate the prototype library by extending the StegoTorus pluggable transport with a new JPEG steganography scheme. Our evaluation results indicate that the overhead of our transcoding-resistant JPEG steganography scheme is comparable to that of other schemes and does not significantly impact the performance of StegoTorus. We also evaluate the resilience of our scheme to statistical attacks, specifically the blockiness detector using calibration and reembedding that has been proven to be effective against many JPEG steganography schemes. We find that such detectors can be evaded by transcoding the image to higher quality levels before transmission and transcoding back to lower quality before destegging.

Contributions. In summary, the contributions of our paper include the following:
System | File Type | Domain | Steganographic Technique | Detection Strategies and Metric
--- | --- | --- | --- | ---
JSteg [35] | JPEG | frequency | LSB encoding | χ², histogram symmetry
JP Hide&Seek [25] | JPEG | frequency | random LSB encoding | χ², histogram symmetry
F5 [37] | JPEG | frequency | matrix encoding, permutative straddling | calibration, histogram shape
OutGuess [30] | JPEG | frequency | redundant bit encoding | calibration, reembedding, blockiness
HUGO [11] | JPEG | frequency | LSB matching w/ STC | SVM
YASS [34] | JPEG | spatial | randomized embedding | Cartesian calibration
UNIWARD [18] | JPEG | both | universal embedding |

Table 1: Summary of notable prior JPEG steganography systems and steganalysis techniques

1) Presentation of transcoding-resistant steganography as a problem for censorship circumvention; 2) Development of a steganographic embedding scheme for JPEG in the frequency domain; 3) Evaluation of the proposed scheme for transcoding resistance properties; 4) Integration with the StegoTorus pluggable transport and evaluation of system performance; and 5) Evaluation of system resilience to statistical attacks.

2 Related Work

We broadly categorize prior related work as belonging to four categories and discuss them below.

1) Transcoding Techniques. Transcoding techniques [6, 5, 16, 33] seek to improve bandwidth performance at the expense of quality by dynamically converting multimedia objects from one form to another along the network path. While these studies do not consider transcoding from a censor's perspective, we are informed by the transformations they perform as they are illustrative of the types of COTS tools that might be easily deployed by censoring countries.

2) Steganography Techniques. Table 1 provides a summary of the most popular steganography systems, the specific steganographic techniques that they implement, and detection strategies known to work against them. JSteg [35], JP Hide&Seek [25], F5 [37], and OutGuess [30] embed message bits by manipulating the quantized DCT coefficients. JSteg with random straddling as well as JP Hide&Seek are detectable using the generalized χ² attack. Fridrich et al. exploit the fact that F5 predictably affects the shape of the histogram of DCT coefficients [14]. To defeat OutGuess, Fridrich et al. define a new metric, called blockiness, that measures discontinuities along the boundaries of the 8x8 JPEG grid [13]. HUGO [11] implements a variant of LSB matching that uses STCs to minimize pixel distortions. However, it has been shown to be vulnerable to SVM-based classifiers [15]. YASS uses Quantization Index Modulation (QIM) that confuses traditional blind steganalysis schemes by intentionally making no attempt to minimize embedding impact on the cover image [34], but is detectable through Cartesian calibration techniques [23]. Finally, UNIWARD introduces a wavelet-based universal embedding function for which there is currently no statistical detection algorithm, but is vulnerable to transcoding attempts [18].

3) Watermarking Techniques. In general, watermarking methods are designed to mark the medium, usually redundantly, with a relatively small (in bits) identification key. Watermarking for copyright protection is most concerned with preserving the watermark under a variety of possible image transformations. Hence, watermarking tends to be redundant and has a low bandwidth requirement relative to steganography. Most watermarking methods add the watermark to the underlying image representation. Because of quantization effects, it is possible that the relatively small perturbations of the image representation employed by watermarking would be corrupted by transcoding. This might not affect watermarks for the purpose of human visual inspection, but this has an impact on the use of watermarking strategies for relatively higher-bandwidth steganographic communication. In contrast to most watermarking methods, the approach we propose exploits the existing processing chain for JPEG and MPEG to set selected frequency coefficients, and exploits the stabilization properties of quantization to improve robustness.

Watermarking in the transform domain first requires the image to be transformed into frequency or some other generalized Fourier domain (e.g., DCT [1, 29, 28], wavelet [32] or Legendre [40]) to exploit invariance or robustness properties that are characteristic of that domain. In addition, most transform-based approaches allow one to minimize the perceptual effect of the watermark. A common approach [1, 29, 28] embeds the watermark using a weighted sum of DCT coefficients. The new image representation C′ is given by:

    C′ = αC + βW

where C is a coefficient of the original source image, W is the corresponding coefficient for the watermark, and α and β are weights that sum to 1. Usually, such schemes apply the transform over the entire image, but the use of the DCT is especially attractive since this transform is used by both JPEG and MPEG. Other basis functions are available, including the Haar wavelet basis [32], and the Legendre basis [40]. In [32], the wavelet transform is applied first, followed by a singular value decomposition for each band, under the assumption that a perturbation of the singular values of the Haar transformed image is robust to certain transformations but also tends to be less perceptible to the human visual system. Otherwise, the watermark is added to the image representation as above. This method is, however, an expensive computation compared to JPEG compression or decompression. In [40], Legendre moments are employed to allow the watermark to be robust with respect to affine transforms of the image. This is particularly useful for embedding watermarks that are designed for human visual inspection. All of these approaches additively perturb the image representation with the watermark.

More sophisticated embedding algorithms [4] exploit quantization by noting that the ordering of coefficients is preserved under quantization, hence this property can be used to encode individual bits by forcing a particular ordering across selected frequency components. Our approach supports a somewhat higher bit rate while being robust to a variety of transformations.

4) Circumvention and Anti-Censorship Systems. Collage [3] and MIAB [20] leverage media sharing websites, e.g., flickr.com and blog sites, to hide messages within user-generated photos. The assumption is that these censors would be hard pressed to block all of these websites. Their prototype implementations rely on OutGuess and HUGO for image steganography and could be substituted with a transcoding-resistant system. Infranet [8] and StegoTorus [36] conceal traffic that would otherwise be blocked within seemingly normal HTTP traffic. The transcoding-resistant image steganography techniques that we develop are complementary and could be used to extend these and other circumvention proxies such as Flash proxies [9], Telex [39], Decoy Routing [22], and Cirripede [19].

3 Adversary Model and System Goals

Adversary Model. We assume that the system user is located in a censored country and is using the system to communicate with a remote server outside the censored zone. We assume that the user and remote endpoint have a shared secret that they could leverage to parameterize the embedding of the image. This shared secret could have been obtained through an offline rendezvous process [26, 10, 9].

The goal of the adversary is to prevent censorship circumvention by accurately identifying and disrupting any communication that involves the use of steganographic images. We assume that the adversary has deep packet inspection (DPI) capability to eavesdrop on all traffic between the censored user and the remote endpoint. The adversary does not care to decrypt the underlying message (as it's often a TLS stream in the case of Tor pluggable transports) and does not have a priori knowledge of the images that would be used to embed steganographic content. The adversary may employ various statistical techniques to distinguish steganographic images from normal images. Finally, the adversaries could use image transcoders to transform all uploaded and downloaded images. While there are many possible transformations that could be applied to images (e.g., blurring, noise additions, rotations etc.), we focus on two common strategies implemented by commodity transcoders: modifying the JPEG compression metric (q value) and the spatial geometry.

System Goals. We describe below the specific design goals of our proposed system:

1. Unobservability – It must be infeasible for an adversary to use automated techniques to distinguish JPEGs created by our system from normal JPEGs. Unlike most prior work on steganography, human perceptibility, i.e., non-distortion of the source cover to a visually unacceptable level, is a non-goal of our system.

2. Transcoding Resistance – The system must continue to be able to transmit data even in the presence of an adversary who manipulates images in between the sender and receiver.

3. Usable Performance – The system must provide reasonable bandwidth. Realized bandwidth is directly proportional to the underlying channel capacity or steganographic overhead. Ideally, the steganographic expansion factor should be within an order of magnitude.

4 JPEG Overview

The JPEG image format [21] offers a compact way to store images. It is a lossy compression scheme that saves space by heavily quantizing or even removing the highest spatial frequencies in an image. Quantization and compression are applied independently to successive blocks of an image. For the sake of this paper, we assume without loss of generality that images are grayscale and divided into 8x8 blocks (called "Minimum Coded Units" or MCUs). Each MCU can be treated as a 64-element vector of integers that represent pixel intensities. At a high level, JPEG compression treats each 8x8 MCU in sequence by first computing a discrete cosine transformation (DCT) of the pixel values, quantizing the resulting frequency coefficients to reduce storage requirements while preserving "perceptually significant" image features, and then Huffman coding the result (see Figure 1). JPEG compression is controlled by a quality factor. As quality is lowered, the highest frequencies of the image are more heavily quantized and ultimately removed.

Figure 1: JPEG processing pipeline for compression. The shading in the third box illustrates the effect of quantization on coefficient magnitude, where white = 0. Higher frequencies (in the lower right) are most heavily quantized.

To embed messages, we exploit the fact that JPEG compression quantizes and therefore stabilizes certain frequency components. This in turn can provide a kind of error correction, since the quantization mapping is many-to-one. Noise or corruption in the quantized frequency components of the original image will tend to be stabilized on output by the loss induced by JPEG compression. This allows the message to survive a number of different transcoding and filtering operations.

Our message embedding recipe first converts a cover image I using a quality q into a new JPEG image I′. We then select four heavily quantized DCT frequency components f_u, f_v, f_w, f_x that can support at least two bits after quantization. Each byte of the message is then embedded in successive MCUs by splitting that byte into four 2-bit quantities. The corresponding frequency coefficients f_u, f_v, f_w, f_x are set to values that, after quantization, will fall in the range [-2,1] for each 2-bit value. This step uses the quantization table that is included with every JPEG image to determine the appropriate target frequency coefficient values. Finally, the result I_M is written as a JPEG-compressed file at quality q, containing the message M.

Messages are recovered by inverting the recipe, assuming knowledge of the base quality level and the frequency components that were used for embedding (these can be shared secrets). For retrieval, images are first transcoded back to their base quality level, and then each byte is reassembled from each MCU by extracting the values of f_u, f_v, f_w, f_x and assembling the 2-bit quantities into one 8-bit byte. In practice, we use the open-source libjpeg library, version 6b [24]. This library allows direct access to the DCT frequency components for any MCU of a JPEG image, and hence it is straightforward to manipulate the frequency components directly and output the result as a JPEG-compressed file.

Steganographic Expansion Factor. We derive the expansion factor by empirically examining the typical JPEG files after compression at various quality levels. In general, the observed compression at quality 30 results in a 1:6 ratio of message to JPEG file length for the cover image. After embedding, the JPEG file length will often increase, depending on the message content, and can be as much as double the size of the cover JPEG. Thus, we expect anywhere from a 1:6 to 1:12 ratio of message to JPEG length.

5 Robustness Experiments

We performed experiments to help us understand the robustness of this form of message embedding. All of our experiments were performed using the ImageMagick "convert" utility. Messages were constructed by drawing each of 3000 bytes in the message from a uniform distribution over the interval [0, 255]. In all experiments, we measured the Hamming distance between the original message and the recovered message. This provides us with an error in bits that characterizes our ability to recover the message through various kinds of transformation. In the first set of experiments, we chose a base quality for embedding, and then transcoded I_M to a new target JPEG quality and then back to the base quality, to see whether the message survived changes across quality factors. Figure 3 shows the results, which are generally independent of the image. Note that error rates are very close to zero at and above the base quality. For a base quality of 30, hardly any error is observed on transcoding across quality levels. The strategy suggested by this plot is to embed messages using low frequency components at the lowest quality value that is practical, so that these components are heavily quantized. Transcoding from a low quality to a higher quality and back will not degrade the message.

[Plot: Message Error After Transcoding Across JPEG Quality; x-axis: Target JPEG Quality; y-axis: Hamming Distance (bits); curves for Base Quality = 30, 50, 70, 90]

Figure 3: Results of transcoding I_M from a base quality to a target quality and back, using a fixed set of frequency components (f10, f9, f8, f3). By using a base quality of 30 (the red curve), we achieve nearly perfect message transmission over a large range of target quality levels.

In a second set of experiments, we applied image rescaling to determine the robustness of message transmission through image enlargement and reduction. Our results were heavily dependent on image characteristics. Highly textured images produced the worst results, most likely because of cross-MCU bleed-through as a result of filtering. By default, image rescaling in ImageMagick relies on two filters that are useful for resampling: the Mitchell filter and the Lanczos filter for image reduction. The support for these filters is 2 or 3 pixels in radius. This means that filtering will cause information to cross MCU boundaries. The effect is greatest at high frequencies, causing significant bleed-through. If we select low frequencies and low quality levels, we can minimize bleed-through across MCUs and at the same time exploit quantization to stabilize the message. The use of Mitchell or Lanczos filters for resampling can, to some extent, be inverted by the use of the "-sharpen" option (essentially a bandpass filter) for "convert". More generally, an impulse response measurement allows us to invert any linear filtering that is present in the transcoding process, so knowledge of the exact form of the filter is unnecessary.

Figure 2: Results of embedding a message in four selected frequency components of an image. Left: "Clean" JPEG images at quality 30; Right: embedding using the highest admissible frequencies;

In practice, we can get good message recovery by performing an inverse rescaling operation (to bring the image back to its original resolution), coupled with a sharpening operation. Figure 4 (top) shows one plot using a specific set of frequency components (indices 18, 17, 16, and 10). Error rates are nearly zero when images are scaled by > 100%. At a rescaling of 100%, we see errors simply because the sharpening filter is in use. Recovery would be perfect, or nearly so, if sharpening were omitted in this case. For scale factors < 100%, there is a range of scale factors from about 60 − 80%, but only a narrow range of sharpening sigma within which good error rates are found. Better results are achieved by moving to lower frequencies. In Figure 4 (bottom), the frequency indices are 10, 9, 8, and 3. With these frequencies, message errors are near 0 even in the rescaling range of 75 − 95%, for a wide range of sharpening sigmas.

[Plots: Bit Error for Rescaling from 50-150%, freq=18,17,16,10, q=30; Bit Error for Rescaling from 50-150%, freq=10,9,8,3, q=30; axes: Sharpening Sigma, Scale (%), Hamming Distance (bits)]

Figure 4: Left: Error as a function of sharpening sigma and image scale percentage. For this survey, frequency components 18, 17, 16, and 10 were used. Right: Error as a function of sharpening sigma and image scale percentage. For this survey, frequency components 10, 9, 8, and 3 were used. These are lower frequency components than in the previous plot, and exhibit a broader range of good performance.

In general, a good strategy for message embedding is to use the lowest quality that is practical. Our approach to message embedding can tolerate a certain amount of image reduction, but below 70% reduction, error rates increase. In general, redundant coding or some other form of error correction (beyond that provided by JPEG itself) should greatly improve our ability to transmit information through image or video media. In the case of image reduction, we believe that a more thorough study of the properties of resampling filters can help us improve error rates. Finally, we note that the method we have described here is applicable to MPEG, and in particular to I-frame encoding, which is very similar to JPEG processing.

6 System Performance Evaluation

TRIST is implemented as a standalone library in approximately 5900 lines of C code. It extends the widely used libjpeg [24] library for manipulating JPEG images. To evaluate the efficacy and overhead of our JPEG embedding scheme, we integrated TRIST into the StegoTorus pluggable transport as a new steganographic scheme. The changes necessary to StegoTorus to support this scheme were fairly modest (∼350 lines of C code).

To evaluate the system in a reproducible network environment, we configured StegoTorus as a one-hop SOCKS proxy in the localhost and used dummynet [31] to induce a specific one-way link delay ranging from 20-100 ms. We then used curl to connect to a local webserver running on the same machine through StegoTorus (using SOCKS) and download a 4 MB file. The one-way delay is introduced in all 3 links. We also repeat each experiment varying the number of parallel StegoTorus circuits. We find the results to be promising (shown in Figure 5), i.e., the introduction of the JPEG steganography scheme introduces minimal additional overhead to StegoTorus. This is encouraging considering the fact that the JPEG steganography scheme is arguably superior to other proof-of-concept schemes currently implemented by StegoTorus.

Next, we compare the performance of the JPEG steganography scheme with each of the other steganography schemes implemented by StegoTorus (shown in Figure 5). Here, we vary the one-way link delay from 20-400 ms and fix the number of circuits to be 4. We find that the throughput of the current JPEG steganography scheme falls in between that of the PDF and JSON schemes. JavaScript performs best and SWF performs worst, while the JSON and SWF schemes are least sensitive to link delay. We suspect that the relative insensitivity of JSON and SWF to link delays is because the file sizes transmitted by the StegoTorus server in these cases are much smaller than those of the other schemes. There is clearly room for additional optimization for the JPEG steganography scheme in terms of embedding data in more than four frequencies, tuning the quality levels etc. Evaluating these strategies in greater detail is future work.
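
The embedding recipe of Section 4 and the quality round trip of Section 5, as an added example that is not TRIST's code: a coefficient-domain model that requantizes the four carrier coefficients from a base quality to a target quality and back, using libjpeg's quality scaling of the standard luminance table. It assumes that the indices 10, 9, 8, 3 are row-major block positions and that a 2-bit symbol s maps to level s - 2; it ignores pixel-domain rounding, and all function names are illustrative.

```c
/* Added example, not TRIST source: quantized-coefficient embedding model. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard JPEG luminance quantization table (Annex K), row-major order. */
static const int BASE_TABLE[64] = {
    16, 11, 10, 16,  24,  40,  51,  61,
    12, 12, 14, 19,  26,  58,  60,  55,
    14, 13, 16, 24,  40,  57,  69,  56,
    14, 17, 22, 29,  51,  87,  80,  62,
    18, 22, 37, 56,  68, 109, 103,  77,
    24, 35, 55, 64,  81, 104, 113,  92,
    49, 64, 78, 87, 103, 121, 120, 101,
    72, 92, 95, 98, 112, 100, 103,  99
};
/* Assumption: the paper's indices 10, 9, 8, 3 are row-major positions. */
static const int CARRIER[4] = {10, 9, 8, 3};

/* Quantization step for one coefficient, using libjpeg's quality scaling. */
int quant_step(int idx, int quality)
{
    if (quality < 1) quality = 1;
    if (quality > 100) quality = 100;
    int scale = quality < 50 ? 5000 / quality : 200 - 2 * quality;
    int step = (BASE_TABLE[idx] * scale + 50) / 100;
    if (step < 1) step = 1;
    if (step > 255) step = 255;
    return step;
}

/* Integer division rounded to nearest, ties away from zero. */
static int div_round(int a, int b)
{
    return a >= 0 ? (a + b / 2) / b : -((-a + b / 2) / b);
}

/* Embed one byte: each 2-bit symbol s (most significant pair first, an
 * assumption) becomes the quantized level s - 2, a value in [-2, 1]. */
void embed_byte(int16_t mcu[64], uint8_t byte)
{
    for (int i = 0; i < 4; i++)
        mcu[CARRIER[i]] = (int16_t)(((byte >> (6 - 2 * i)) & 3) - 2);
}

/* Recover one byte; levels pushed outside [-2, 1] are clamped (assumption). */
uint8_t extract_byte(const int16_t mcu[64])
{
    unsigned byte = 0;
    for (int i = 0; i < 4; i++) {
        int level = mcu[CARRIER[i]];
        if (level < -2) level = -2;
        if (level > 1) level = 1;
        byte = (byte << 2) | (unsigned)(level + 2);
    }
    return (uint8_t)byte;
}

/* Transcode model: dequantize at q_from, requantize at q_to (no IDCT/DCT). */
void requantize(int16_t mcu[64], int q_from, int q_to)
{
    for (int i = 0; i < 64; i++) {
        int coef = mcu[i] * quant_step(i, q_from);
        mcu[i] = (int16_t)div_round(coef, quant_step(i, q_to));
    }
}

/* Hamming distance (bits) between msg and what survives base->target->base. */
int roundtrip_bit_errors(const uint8_t *msg, size_t n, int base_q, int target_q)
{
    int errors = 0;
    for (size_t i = 0; i < n; i++) {
        int16_t mcu[64] = {0};          /* constructed flat cover block */
        embed_byte(mcu, msg[i]);
        requantize(mcu, base_q, target_q);
        requantize(mcu, target_q, base_q);
        unsigned diff = (unsigned)(extract_byte(mcu) ^ msg[i]);
        for (; diff; diff >>= 1) errors += (int)(diff & 1u);
    }
    return errors;
}

/* Constructed message: every byte value 0..255 once. */
int demo_errors(int base_q, int target_q)
{
    uint8_t msg[256];
    for (int i = 0; i < 256; i++) msg[i] = (uint8_t)i;
    return roundtrip_bit_errors(msg, 256, base_q, target_q);
}

int main(void)
{
    static const int bases[4] = {30, 50, 70, 90};
    for (int b = 0; b < 4; b++)
        for (int t = 30; t <= 100; t += 10)
            printf("base %d target %d errors %d\n", bases[b], t, demo_errors(bases[b], t));
    return 0;
}
```

In this model a base quality of 30 survives every target quality from 30 to 100 without bit errors, while a base of 90 transcoded down to 30 collapses every carrier coefficient to level 0, which is the asymmetry Figure 3 reports.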

7 Statistical Attacks and Limitations

We evaluate resilience of TRIST against three broad classes of attacks that have been employed against JPEG steganographic systems.

Histogram Divergence: (χ²) Attack. The χ² attack uses first order statistics to detect the change in histogram between the normal and stegged image. Specifically, Westfeld and Pfitzmann developed an attack that detects LSB encoding variants using predictable pair-of-values (POVs) in the frequency histograms [38]. TRIST is not vulnerable to the POV χ² attack since it does not use LSB encoding. In addition, we performed some preliminary experiments to see whether there were any statistically significant differences in the distributions of frequency coefficients between steg and cover images, using default frequency selections. We performed these tests for each of the 64 frequency components and were not able to detect a difference with the Kolmogorov-Smirnoff test [17]. One possible explanation is that by default, TRIST restricts its operation to the most heavily quantized frequencies. These frequencies have very few categories to begin with, and the resulting post-steg distributions have a narrow peak centered about 0. Thus it may be difficult to use basic histogram-based statistical attacks to defeat TRIST.

Blockiness Detection. One attack that has proven successful against many steganography schemes is the self-calibrated blockiness measure proposed in [13]. Our approach may also be vulnerable to this attack, since the changes that we insert in the frequency domain are much more significant than just the LSB. We implemented the blockiness measure and message length estimator described in [13] and averaged the results over several cover images. We experimented with various quality levels for embedding, and found that if a message is embedded at a low quality (e.g., 30) and the resulting image is transcoded up to quality 90 (e.g., using 'convert'), the blockiness test no longer reliably determines message length. Figure 6 illustrates this effect for a range of message lengths from 0 to the maximum (around 39 KB).

Figure 6: Message length estimates obtained using the blockiness measure, obtained by embedding the message at quality 30 and then transcoding up to quality 90 for a range of message lengths from 1-39 KB using 20 cover images from the BOSS dataset [2].

Blind Steganalysis. There has been a recent trend toward developing universal steganalysis tools that combine first and second order classifiers to detect steganographic images [23]. While we have not experimented against such systems, we anticipate that such attacks are likely possible against our system. However, these attacks rely on large feature vectors and tend to be computationally more expensive than prior attacks. Evaluating vulnerability to and building resilience to such attacks is future work.
[Plots: Bandwidth (kbps) versus Number of StegoTorus circuits, for ST and ST + jpg at 20 ms and 100 ms; Bandwidth (kbps) versus Link Delay (ms), for jpeg, js, pdf, swf, json]

Figure 5: Left: Comparing StegoTorus throughput with and without the JPEG steganographic scheme as we vary the number of circuits from 1 to 4 and the one-way propagation delay from 20 to 100 ms. The JPEG steganography scheme has minimal impact on the performance of StegoTorus. Right: Comparing StegoTorus throughput of various steganographic schemes (JavaScript, JSON, PDF, SWF and JPEG) as we vary the link delay from 20 to 400 ms.

8 Conclusion and Future Work

TRIST introduces a new twist to the standard steganography problem (i.e., transcoding resistance) and applies it to the censorship circumvention domain, which is an area of active research. An important challenge, associated with application of image steganography to this domain, is that of the channel bandwidth (i.e., would the realized bandwidth be sufficient to sustain seamless web surfing?). We address this problem through the development of a new JPEG steganographic technique that provides improved robustness against automated transcoders by selectively modifying heavily quantized frequency components at low JPEG quality values. Our experimental evaluations demonstrate that we can robustly embed information across various images and this information survives a number of transformations, including transcoding to higher quality and rescaling of the image.

There are several potential areas of future work including (i) developing schemes that are resilient to other image transformations (e.g., rotations, smoothing etc.), (ii) integrating with other anti-censorship techniques such as Collage [3], MIAB [20] and FTE Proxy [7] and (iii) extending our strategies to JPEG-like encoding in other multimedia formats such as MPEG I-frames and shockwave flash files. Finally, steganography and censorship are both cat-and-mouse games and we anticipate that adversaries will develop new strategies to detect and disrupt our steganographic schemes. We view these as a natural evolution of the arms race and look forward to them as exciting opportunities to further improve our system.

9 Acknowledgments

We acknowledge helpful comments and feedback on this work from Drew Dean and Michael Walker. This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) and Space and Naval Warfare Systems Center Pacific under Contract No. N66001-11-C-4022. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Defense Advanced Research Project Agency or Space and Naval Warfare Systems Center Pacific. Distribution Statement A: Approved for Public Release, Distribution Unlimited.

References

[1] M. Bardi, F. Bartolini, V. Cappellini, and A. Piva. A dct-domain system for robust image watermarking. Signal Processing, 66:357–372, 1998.
[2] P. Bas, T. Filler, and T. Pevný. Break our steganographic system — the ins and outs of organizing boss. In Information Hiding, 13th International Workshop, Lecture Notes in Computer Science, 2011.
[3] S. Burnett, N. Feamster, and S. Vempala. Chipping away at censorship firewalls with user-generated content. In Proceedings of the 19th USENIX Conference on Security, USENIX Security’10, 2010.
[4] C. Candan. A transcoding robust data hiding method for image communication applications. In Proceedings of IEEE International Conference on Image Processing, 2005.
[5] S. Chandra and C. S. Ellis. Jpeg compression metric as a quality-aware image transcoding. In Proceedings of the 2nd Conference on USENIX Symposium on Internet Technologies and Systems, USITS’99, 1999.
[6] S. Chandra, A. Gehani, C. S. Ellis, and A. Vahdat. Transcoding characteristics of web images. In SPIE Conference on Multimedia Computing and Networking, 2001.
[7] K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton. Protocol misidentification made easy with format-transforming encryption. In Proceedings of the 2013 ACM SIGSAC Conference on Computer Communications Security, CCS ’13, 2013.
[8] N. Feamster, M. Balazinska, G. Harfst, H. Balakrishnan, and D. Karger. Infranet: Circumventing web censorship and surveillance. In Proceedings of the 11th USENIX Security Symposium, 2002.
[9] D. Fifield, N. Hardison, J. Ellithorpe, E. Stark, R. Dingledine, P. Porras, and D. Boneh. Evading Censorship with Browser-Based Proxies. In Privacy Enhancing Technologies, 2012.
[10] D. Fifield, G. Nakibly, and D. Boneh. Oss: Using online scanning services for censorship circumvention. In Privacy Enhancing Technologies, 2013.
[11] T. Filler and J. Fridrich. Design of adaptive steganographic schemes for digital images. In Proc. SPIE, 2011.
[12] Flickr. http://www.flickr.com, 2014.
[13] J. Fridrich, M. Goljan, and D. Hogea. Attacking the outguess. In ACM Workshop on Multimedia and Security, 2002.
[14] J. Fridrich, M. Goljan, and D. Hogea. Steganalysis of jpeg images: Breaking the f5 algorithm. In 5th International Workshop on Information Hiding, 2002.
[15] G. Gul and F. Kurugollu. A new methodology in steganalysis: Breaking highly undetectable steganography (hugo). In Proceedings of 13th International Workshop on Information Hiding, 2011.
[16] R. Hand, P. Bhagwat, R. LaMaire, T. Mummert, V. Perret, and J. Rubas. Dynamic adaptation in an image transcoding proxy for mobile web browsing. In IEEE Personal Communications, 1998.
[17] M. Hazewinkel. Kolmogorov-smirnov test. Encyclopedia of Mathematics, 2001.
[18] V. Holub and J. Fridrich. Digital image steganography using universal distortion. In Proceedings of the First ACM Workshop on Information Hiding and Multimedia Security, MMSec ’13, 2013.
[19] A. Houmansadr, G. T. Nguyen, M. Caesar, and N. Borisov. Cirripede: Circumvention Infrastructure using Router Redirection with Plausible Deniability. In Proceedings of the 18th ACM conference on Computer and communications security, pages 187–200, 2011.
[20] L. Invernizzi, C. Kruegel, and G. Vigna. Message in a bottle: Sailing past censorship. In Proceedings of the 29th Annual Computer Security Applications Conference, ACSAC, 2013.
[21] Joint Photographic Experts Group. http://www.jpeg.org, 2014.
[22] J. Karlin, D. Ellard, A. Jackson, C. E. Jones, G. Lauer, D. P. Makins, and W. T. Strayer. Decoy Routing: Toward Unblockable Internet Communication. In USENIX Workshop on Free and Open Communications on the Internet, 2011.
[23] J. Kodovsky, T. Pevny, and J. Fridrich. Modern steganalysis can detect yass. In SPIE, Electronic Imaging, Media Forensics and Security XII, 2010.
[24] T. Lane and Independent JPEG Group. http://libjpeg.sourceforge.net, 2014.
[25] A. Latham. http://linux01.gwdg.de/ alatham/stego.html, 2014.
[26] P. Lincoln, I. Mason, P. Porras, V. Yegneswaran, Z. Weinberg, J. Massar, W. A. Simpson, P. Vixie, and D. Boneh. Bootstrapping communications into an anti-censorship system. In 2nd USENIX Workshop on Free and Open Communications on the Internet, 2012.
[27] H. M. Moghaddam, B. Li, M. Derakhshani, and I. Goldberg. Skypemorph: protocol obfuscation for tor bridges. In ACM Conference on Computer and Communications Security, 2012.
[28] S. P. Mohanty and E. Kougianos. Real-time perceptual watermarking architectures for video broadcasting. Journal of Systems and Software, 84:724–738, 2011.
[29] A. Poljicak, L. Mandic, and D. Agic. Discrete fourier transform-based watermarking method with an optimal implementation radius. Journal of Electronic Imaging, 20(3), 2011.
[30] N. Provos. Defending against statistical steganalysis. In 10th USENIX Security Symposium, pages 323–335, 2001.
[31] L. Rizzo. Dummynet: A simple approach to the evaluation of network protocols. ACM Computer Communication Review, 27:31–41, 1997.
[32] V. Santhi and D. A. Thangavelu. DWT-SVD combined full band robust watermarking technique for color images in YUV color space. International Journal of Computer Theory and Engineering, 1(4):424–429, 2009.
[33] A. Savant, N. Memon, and T. Suel. On the scalability of an image transcoding proxy server. In International Conference on Image Processing, 2003.
[34] K. Solanki, A. Sarkar, and B. S. Manjunath. Yass: yet another steganographic scheme that resists blind steganalysis. In 9th International Workshop on Information Hiding, 2007.
[35] D. Upham. Jpeg-jsteg - modification of the independent JPEG group’s JPEG software (release 4) for 1-bit steganography in jfif output files. http://www.tiac.net/usres/lorejwa/jsteg.htm, 1997.
[36] Z. Weinberg, J. Wang, V. Yegneswaran, L. Briesemeister, S. Cheung, F. Wang, and D. Boneh. Stegotorus: A camouflage proxy for the tor anonymity system. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS ’12, 2012.
[37] A. Westfeld. F5 – a steganographic algorithm: High capacity despite better steganalysis. In 4th International Workshop on Information Hiding, pages 289–302. Springer-Verlag, 2001.
[38] A. Westfeld and A. Pfitzmann. Attacks on steganographic systems. In Proceedings of the Third International Workshop on Information Hiding, IH ’99, pages 61–76, 2000.
[39] E. Wustrow, S. Wolchok, I. Goldberg, and J. A. Halderman. Telex: Anticensorship in the Network Infrastructure. In Proceedings of the 20th USENIX Security Symposium, pages 459–473, 2011.
[40] H. Zhang, H. Shu, G. Coatrieux, J. Zhu, Q. M. J. Wu, Y. Zhang, H. Zhu, and L. Luo. Affine legendre moment invariants for image watermarking robust to geometric distortions. IEEE Transactions on Image Processing, 20(8):2189–2199, 2011.
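
Added illustration (not the authors' TRIST code) of the robustness claim in Section 8: a bit carried by a heavily quantized coefficient survives requantization at any finer step, because the transcoder's rounding error stays below half the base step. The parity embedding rule, the step sizes and the coefficient values are assumptions constructed for this sketch, and the pixel-domain rounding, clipping and rescaling of a real transcoder are not modeled.

```python
import math

# Constructed sample data (not from the paper): eight DCT coefficient values
# and the message bits to hide in them.
COEFFS = [-187.3, -64.0, -12.5, 3.2, 41.9, 95.0, 130.4, 222.2]
BITS = [1, 0, 1, 1, 0, 0, 1, 0]
BASE_STEP = 40  # assumed large quantization step, i.e. low base JPEG quality


def quantize(value, step):
    """Nearest quantization level for `value` (ties round up)."""
    return math.floor(value / step + 0.5)


def embed(coeff, step, bit):
    """Quantize `coeff`, then force the level's parity to equal `bit`."""
    level = quantize(coeff, step)
    if (level & 1) != bit:
        # Move one level toward the original coefficient to limit distortion.
        level += 1 if coeff >= level * step else -1
    return level


def transcode(level, base_step, new_step):
    """Decode at base_step, then re-encode and decode at new_step."""
    return quantize(level * base_step, new_step) * new_step


def extract(value, base_step):
    """Requantize at the base step and read the parity bit back."""
    return quantize(value, base_step) & 1


def round_trip(bits, coeffs, base_step, new_step):
    """Embed, pass through a transcoder, and return the recovered bits."""
    levels = [embed(c, base_step, b) for c, b in zip(coeffs, bits)]
    return [extract(transcode(l, base_step, new_step), base_step) for l in levels]


if __name__ == "__main__":
    for step in (3, 7, 16, 39, 64):
        got = round_trip(BITS, COEFFS, BASE_STEP, step)
        errors = sum(g != b for g, b in zip(got, BITS))
        print(f"transcoder step {step:2d}: {errors} bit error(s)")
```

Steps 3, 7, 16 and 39 stand for transcoding to a higher quality than the base and recover every bit; step 64 stands for a coarser transcoder and flips the two bits carried by the smallest-magnitude levels.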
